Open firewall for Expo node project (Windows)

If you are testing your mobile app from a real device and need to reach your Expo dev server running locally, here is an example of opening the ports for the necessary services (Windows PowerShell, run as Administrator):

# Allow Node.js inbound
New-NetFirewallRule -DisplayName "Node.js" -Direction Inbound -Program "C:\Program Files\nodejs\node.exe" -Action Allow

# Allow specific Expo port
New-NetFirewallRule -DisplayName "Expo Dev Server" -Direction Inbound -Protocol TCP -LocalPort 8081 -Action Allow

# Allow Metro bundler port range
New-NetFirewallRule -DisplayName "Metro Bundler" -Direction Inbound -Protocol TCP -LocalPort 19000-19006 -Action Allow

Docker Swarm mode, target/published

I am using Docker Swarm mode on my VPS solely to get Docker secrets.
The point of Docker secrets (which are only available in Swarm mode) is to keep sensitive data off the host. With that in place, I also wanted to step outside the Swarm network and bind the container's ports directly to the host's network.

Example docker-compose.yml as follows:

services:
    btc_mongodb:
        image: mongo:8.0.9-noble
        deploy:
            restart_policy:
                condition: any
                delay: 5s
                max_attempts: 3
                window: 120s
        environment:
            MONGO_INITDB_ROOT_USERNAME_FILE: /run/secrets/mongo_root_username
            MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongo_root_password
        ports:
            - target: 27017
              published: 27017
              protocol: tcp
              mode: host
        command: ["mongod", "--bind_ip", "0.0.0.0", "--maxConns", "10000"]
        volumes:
            - db:/data/db
        secrets:
            - mongo_root_username
            - mongo_root_password
        networks:
            - mongodb_network
        healthcheck:
            test: ["CMD", "mongosh", "--eval", "db.adminCommand('ping')"]
            interval: 30s
            timeout: 10s
            retries: 3

networks:
    mongodb_network:
        driver: overlay
        attachable: true

volumes:
    db:
        name: mongodb

secrets:
    mongo_root_username:
        external: true
    mongo_root_password:
        external: true

The following port settings are what bind the service directly to the host's network instead of the Swarm routing mesh:

        ports:
            - target: 27017
              published: 27017
              protocol: tcp
              mode: host

Setting up fail2ban with firewalld (sshd)

The best way to counter brute-force attacks would be to maintain an allow list of static IPs and to limit SSH access to key pairs. That was the plan until I wanted to use GitHub Actions to remote into my server. Instead, I decided to counter SSH brute-force attacks with fail2ban.

---1 install package
dnf install fail2ban

---2 enable service and check status
systemctl enable fail2ban
systemctl start fail2ban
systemctl status fail2ban

---3 set up the configuration file (/etc/fail2ban/jail.local)
----- Change values accordingly. The action= value refers to one of the
----- action templates in /etc/fail2ban/action.d/

/etc/fail2ban # cat jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
# 3600 = 1 hour
findtime = 3600
#bantime = 3600
# 604800 = 7 days
bantime = 604800
action = firewallcmd-rich-rules[blocktype=reject, protocol=tcp]

---4 restart fail2ban
systemctl restart fail2ban
systemctl status fail2ban

You can manually ban and unban an address to check that the firewall rules change accordingly:

fail2ban-client set sshd banip IPADDRESS
fail2ban-client set sshd unbanip IPADDRESS
firewall-cmd --list-rich-rules
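To make the maxretry/findtime/bantime semantics of the jail above concrete, here is an added Python replay of that logic over constructed /var/log/secure lines (example code, not part of fail2ban or the original post; the host name, PIDs and TEST-NET addresses in the sample are made up, and the year supplied to the syslog timestamps is an assumption):

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Jail values from the jail.local above.
MAXRETRY = 3        # failures before a ban
FINDTIME = 3600     # window in seconds in which those failures must occur
BANTIME = 604800    # ban duration in seconds (7 days)

# The "Failed password" line shape that the sshd filter matches in /var/log/secure.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_ts(ts, year=2025):
    """syslog timestamps carry no year; one is supplied here (assumption for the sample)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

def evaluate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines; return {ip: ban_expiry_epoch} for addresses failing maxretry times within findtime."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and t < bans[ip]:
            continue  # already banned; the firewall rule should be rejecting this traffic
        window = failures[ip]
        window.append(t)
        while window and t - window[0] > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans[ip] = t + bantime
            window.clear()
    return bans

# Constructed sample lines (TEST-NET addresses); not real log data.
SAMPLE_LOG = [
    "Jun 12 08:00:00 vps sshd[1001]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "Jun 12 09:30:00 vps sshd[1002]: Failed password for root from 198.51.100.7 port 50002 ssh2",
    "Jun 12 10:00:01 vps sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2",
    "Jun 12 10:00:05 vps sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "Jun 12 10:00:07 vps sshd[1005]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2",
    "Jun 12 10:00:09 vps sshd[1006]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2",
    "Jun 12 11:00:00 vps sshd[1007]: Failed password for root from 198.51.100.7 port 50003 ssh2",
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

Only 203.0.113.5 gets banned: its three failures fall inside one hour, while 198.51.100.7 also fails three times but spread over more than findtime, so its window never fills.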